WPA Cracker cracks WiFi passwords in the cloud

Cory Doctorow at 5:21 am Tue, Jul 27, 2010

Except where indicated, Boing Boing is licensed under a Creative Commons License permitting non-commercial sharing with attribution

WPA Cracker is a WiFi security compromiser in the cloud, running on a high-performance cluster. Send them a dump of captured network traffic and $35, and they will try 136 million passwords in 40 minutes, tops (for $17, they'll run the same attack at half speed) -- the same crack would take five days on a "contemporary desktop PC." They also have an extended, 284 million word dictionary that you can run for $55 in 40 minutes. They'll also use the same process to crack the passwords on encrypted ZIP archives.

You're safe if your password isn't in any dictionary, including the special dictionaries used for password cracking (these dictionaries will try random words in combination, as well as common letter-number substitutions such as "1" for "i" and so on). The crack works on WPA and WPA2-locked networks.

Your best bet is a long, random string for a password -- 64 bits of random noise will probably foil something like this for a good time to come. But good luck reading the password aloud to your visiting friend when she needs to get her laptop online.

Questions about WPA Cracker (via Schneier)
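An added example (not from the original post or from the WPA Cracker service): it applies the throughput quoted above, 136 million candidates in 40 minutes, to several passphrase policies, and shows the standard WPA-PSK key derivation (PBKDF2-HMAC-SHA1 salted with the network name, 4096 rounds). The SSID `example-ssid` and the list of policies are assumptions chosen for illustration.

```python
import hashlib
import secrets
import string

# Throughput as quoted in the post: 136 million candidates in 40 minutes.
GUESSES_PER_SECOND = 136_000_000 / (40 * 60)

# WPA/WPA2-PSK passphrases are 8 to 63 printable ASCII characters (95 symbols).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def random_passphrase(length: int = 63) -> str:
    """Uniformly random passphrase drawn from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8..63 characters")
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def years_to_exhaust(candidates: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guesses/second."""
    return candidates / rate / (365.25 * 24 * 3600)


def compare_policies() -> dict:
    """Worst-case search time per policy, in years, at the quoted rate."""
    policies = {
        "word in the 136M dictionary": 136_000_000,
        "8 random lowercase letters": 26 ** 8,
        "64 random bits (16 hex chars)": 2 ** 64,
        "10 random printable chars": 95 ** 10,
        "63 random printable chars": 95 ** 63,
    }
    return {name: years_to_exhaust(n) for name, n in policies.items()}


if __name__ == "__main__":
    for name, years in compare_policies().items():
        print(f"{name:32s} {years:.3g} years")
    pw = random_passphrase()  # constructed sample, regenerated on every run
    print(pw, derive_psk(pw, "example-ssid").hex())
```

The figures only hold for strings chosen uniformly at random; a human-chosen phrase of the same length has a much smaller effective search space.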


I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.


  • Eris Siva

    Or, you could install something like Tomato firmware on your router and use the Wireless filter with password.

    That way they have to spoof a designated MAC address before they can even access the password feature. They’ll most likely head to someone else’s router first.

  • Tweeker

    The better special dictionaries used for password cracking will include a lot of spatial keyboard patterns.

  • AirPillo

    Or you can use WEP encryption…

    • AirPillo

      Augh, monday mornings… WPA is the stronger of the two. Silly me.

    • Steaming Pile

      Or maybe you can make your password wicked long, like several pages of text. Then it won’t matter if the text itself is readable, so long as you’re not quoting anything well-known, like Hamlet’s soliloquy or anything like that.

      Perhaps when every password is guessable, no matter how cryptic, we’ll have to make them so long that they’re no longer memorizable, so then you’d have to carry your password around on a thumb drive, and transmit your password when needed. This, of course, kind of violates the first commandment of system security, which is to keep them in your head, not your pocket, but I would think an unidentified thumb drive with some .txt files on it would be no less secure than your car keys.

      • Matthew Miller

        > Perhaps when every password is guessable, no matter how cryptic, we’ll have to make them so long that they’re no longer memorizable, so then you’d have to carry your password around on a thumb drive, and transmit your password when needed.

        If you’re doing that, something like an RSA SecurID token, which generates clock-based one-use passphrases, is probably a better option. (In the software-token form, it’s essentially as you describe, except instead of sending the actual secret, you send a hash based on it.)

  • Lobster

    Wait, so, you can pay more for a larger password database and greater chance to crack it?

    Are you paying for a chance to crack it, or for the crack? If you’re paying them to crack it it seems ridiculous to pay for the more expensive one because if they fail then they haven’t lived up to their obligations and it should be their responsibility to make the matter right. If you’re paying for the chance then it seems ridiculous NOT to pay for the more expensive one since if the smaller database fails then that’s money wasted.

  • chris_s

    This is why you should be using a pass-phrase not a password. It’s going to be a long time before a dictionary attack can take on something like “cory is my hero” as your WPA security code, but it’s still easy to remember and tell to a guest.

    • Lobster

      Why is that? That’s just a 15-character password. It may be easier for you to remember than a random string but to a computer it’s exactly the same as the millions of other 15-character passwords.

  • Lady Katey

    hmmm… my network passphrase is “wordword123465” in which the number string is based on my phone number. It’s different from all my other passwords but easy to remember. And I don’t really have any sensitive information stored on my laptop. (Cue telling down from another commenter about how my bank accounts and identity will be ripped off because I have a copy of my tax return on my HD in 3…2…1…)

    Another good password tactic I’ve found is using a phrase you can remember, but only the first and last letters of each word. “dtyuwtmebydtyuwtmeoh” would be an example.

    • Anonymous

      that sounds very “Human League”.

    • SkullHyphy

      “Don’t you want me baby, don’t you want me, oh”

  • Anonymous

    Or, just make your WiFi totally open and free. Like air. We all breathe it.

    S

  • Burzmali

    The two best recommendations I’ve seen are to use a misformed quote (i.e. “One small stpe for a man”) where the quote and the error are easy to remember, but the combination makes a dictionary attack infeasible, and to carry around a large written password (27 characters etc) that has an easy to remember error or two in it (i.e. two characters transposed and a space at the end) a la the Security Now podcast.

  • pretentious platypus

    There are passwords I need to remember, but wireless certainly isn’t one of them (and yes, I do have friends). 63 characters of randomness and KeePass FTW.

  • rabidpotatochip

    Two things I have to bring up:
    1) Don’t use passwords, use passphrases.
    2) If we’re still talking about wifi, you don’t need to know your passphrase. You can generate a random (or pseudo-random) passphrase then copy and paste it onto all the necessary devices.

    My favorite trick for generating a passphrase is to take the nth letter of every word in a familiar phrase I’m unlikely to use in daily conversation and throw in some numbers and special characters for flavor.

    • Caroline

      Definitely this. I like to take lyrics from a song, a line of poetry, or a prose quotation, and create strings from the nth letters of it (usually the first), replacing random letters with numbers and symbols in a non-consistent way. Sometimes I throw random symbols not in the source phrase, but that I can remember.

      It’s still not strictly random, letter frequencies in English being what they are. But it’s a lot harder to crack than a dictionary or semi-dictionary password. And it’s easy to remember — just sing the song, recite the poem or the quote to yourself, and you’re good to go.

      The trick is remembering a different one for each place you need a password/passphrase. I’ve resorted to a password-keeping program. Of course, that means my passwords are now only as secure as my computer. One does what one can. (And it’s better than keeping them written on paper or in a plaintext file, which I have seen otherwise intelligent, techy people do.)

      And less techy people? They’re still struggling with the idea that their computer login, Gmail account, Facebook account, and bank account are not all linked by the One Password To Rule Them All. It’s not just that they choose to use the same password everywhere — it’s that they don’t even grasp that they could use different ones. They just have a computer password, so it should work for all that computer stuff, right?

      The analogy of keys helps for many people. They grasp the concept that they have different keys to their home, car, office, toolshed. Once they understand that different computers and websites are actually different “places,” they grasp that they might want to use a different “lock and key” for each.

      Of course, it doesn’t stop them using obvious passwords. My husband works in IT and has stunned users who can’t remember their passwords by telling them “Try your dog’s name.” It invariably works, and they stare at him in terror. “How did you know? Are you psychic?”

      A list of the most common dog names would probably save even the time of a dictionary attack…

  • Major Buzzkill

    This could help:

    GRC’s Ultra High Security Password Generator

    https://www.grc.com/passwords.htm

    • Gilbert Wham

      now, see, if *I* ran a password generating site, all those generated passwords would be going straight in that dictionary.
      Just sayin’.

  • bardfinn

    “But good luck reading the password aloud to your visiting friend when she needs to get her laptop online. ”

    Alpha Bravo Charlie Delta Echo Foxtrot Golf Hotel Inigo Juliet Kilo Lima Mike November Oscar Papa Quebec Romeo Sierra Tango Uniform Victor Whisky X-ray Yankee Zulu Niner Zeh-ro.

    And for hexadecimal, one only needs the first six of the above.

    • bellhalla

      Doesn’t the ICAO spelling alphabet use India instead of Inigo? Or is that your point?

    • Anonymous

      ‘Inigo’

      You killed my father prepare to die?

      Good phrase :D

    • Anonymous

      Oh, they should have used “Unicorn” not “Uniform”!

  • caffeine addict

    Joining a few words together is plenty secure enough to stop most of these rainbow attacks (for the moment at least).

    That’s why I use ‘letmein’.

    Hang on a sec… d’oh!

  • jonathan_v

    you read the faq wrong:

    > You can run your job against half of our CPU cluster for $17 US, or you can run it against the entire cluster for $35 US. The half-mode will take at most 40 minutes…. the full-mode will take at most 20 minutes.

    So the $35 is for 20 minutes; the $17 is for 40.

    This is really rad.

  • Anonymous

    I’m not sure that 64 random characters is entirely necessary. It looks like they can only make 116,000 attempts per second; 280,000,000 in 40 minutes. This means that a 64 character password of random upper and lower case with numbers would take around 1,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years to fully brute force. (give or take the age of the universe, maths never was my strong point).

  • bardfinn

    What’s the passphrase? “Pedo Mellon a Minno” – ? What’s that mean?

  • WaylonWillie

    before spending the $55, just try 12345 or 123454321. that is the password.

    • johnphantom

      Haha Waylon, that reminds me. I see a medication doctor for my mental illness. One day, my ride forgot their keys in the office. Unfortunately, it was after 5PM and the door automatically locks.

      I banged on the door for a while. No one came, so I figured the hell with it, I might as well screw with the lock – at worst it would set off an alarm and someone would come let me in.

      First try: 1234. It worked. I had to tell my doctor that is really a bad idea for a passcode.

  • daneyul

    Uh, all you people worrying about password strength didn’t read the “About Us” on their site:

    “WPA Cracker is a cloud cracking service for penetration testers and network auditors who need to check the security of WPA-PSK protected wireless networks.”

    So, it’s only for people testing or checking their own security. Whew! I can stick with using “password” on all my accounts!

  • Xopher

    So…do you trust your credit card information to people whose raison d’etre is, frankly, theft? People who can’t be traced or identified?

    If they CAN be traced or identified, what’s to stop some righteous person from hacking into them and destroying their systems? Not like they don’t deserve it. Bastards.

    And yeah, I totally believe they’re just for penetration testers and so on. Just like the old Blueboy magazine was for women. It said so on the cover!

    • daneyul

      >> And yeah, I totally believe they’re just for penetration testers and so on. Just like the old Blueboy magazine was for women. It said so on the cover!

      So, you’re saying that Blueboy magazine was also for penetration testers?

      • Xopher

        LOL that’s beyond precious. While I certainly wish I’d thought of it, I bow in admiration!

      • optuser

        heh. Heh hehe….

        HAHAHAAHAHAHAH [infinity]

        Thank you.

  • jowlsey

    @Gilbert Wham I’ve used Steve Gibson’s site to generate random strings for quite awhile. If you’re a distrusting sort like me, you’ll copy / paste parts of the string around, and then just change a few characters. Keep it on a thumb drive (with a write only switch, natch) to share with your guests.

  • jowlsey

    ^^
    read only switch

  • victorvodka

    Wait, why exactly do people put passwords on their WiFi routers? I think it’s more because router manufacturers have made this the default configuration. Personally I prefer the happy Marxist Utopian hellscape that existed a few years ago when you could always get on someone’s router named “linksys.”

  • johnphantom

    My password? I bang on the keyboard, using letters, numbers and odd things like a semi-colon. Put it in a .txt file and put it on a USB thumb drive, for others to use.

  • Anonymous

    Or just try the factory setting: PASSWORD.

  • Glenn Fleishman

    “Your best bet is a long, random string for a password”: Cory, that’s more than is necessary with WPA/WPA2.

    Despite this cracking site and some other dictionary tools and sites, WPA/WPA2’s hashing algorithm for turning a passphrase into a long hexadecimal key remains intact. Brute force is the only solution.

    In talking to Elcomsoft (the Russian firm that uses GPUs to crack keys, WPA and others), and other security researchers and crackers, it’s actually only necessary to have a key longer than 8 or 9 characters with no dictionary words present.

    When you hit 10 characters and use a password like “a89adf0!8_”, it’s impossible with current technology to recover that key.

    Several researchers have suggested that a memorable long phrase, a lyric from a song you like, for instance, with one bit of punctuation thrown in would take until the end of the universe to crack with known techniques.

    (Quantum computing might put the lie to all that.)

    Back in 2003, when I ran an article from a security researcher who exposed the “poor passphrase selection” weakness in WPA, he suggested that a 20-character password with no dictionary words would be vastly beyond breakability. Seven years later, crackers are up to maybe 9 characters.

  • Anonymous

    There is another on-line WPA cracking service http://www.recoverwpa.com – they charge afterwards, only if the password was found in the handshake.

    So you are paying for guaranteed password and not only for a chance of getting something.

  • Anonymous

    Spatial patterns are a good way to have non-dictionary passwords that are easy to remember, some pattern on the keyboard that is easy to describe to visitors. Until someone gives you a Belgian keyboard.